Connect to Internet from Windows server 2008

When trying to replace the old gateway server (OS 2003) with a new server running OS 2008, I have problems connecting to the internet from the OS-2008 server even though I can ping the gateway. In OS-2003 you have the option "Connect using a broadband connection that is always on", which is missing in OS-2008. The only option I have is "Connect using a broadband connection that requires a username and a password", which is also an option in OS-2003. When I use the available option in OS-2008 and leave username and password blank, I receive an error and no connection is established. Both servers' NICs are configured identically (fix ip-address: 10.1.1.1, subnet mask 255.255.255.0 and default gateway 10.1.1.254) but are not connected at the same time. For testing I move the ethernet cable from one server to the other. What can I do?

I think there are many things to do.
First, think about the role the server should have.
- If the server should be the gateway for others, there must be some kind of routing or proxy.
(Are there some applications on your old server?)

If you connect the LAN interface and can ping the gateway (10.1.1.254), you should also be able to ping (or traceroute) www.heise.de (or the IP 193.99.144.85).
If you are only able to ping the IP, you need a DNS entry.


Answer to dkotte: The old server has an ISA installed and works as a gateway for the internal network to the internet. The configuration looks like this. Internet-> (cable connection with fix ip-address)->broadband modem->Cisco firewall->Old "gateway"-server->LAN. I think the gateway 10.1.1.254 is the gateway located in the Cisco firewall.

You have connectivity to the internet then but cannot access web sites from a browser?

Download and run the BPA http:#a37816754 . It will run specific tests and help you narrow this down.

0

AndHofOwnerAuthor Commented: 2012-04-06

If the DMZ is between, I do not know. I have not set it up. However, the cable from the broadband modem is connected to the Cisco PIX, and one outlet from the PIX is connected to the ISA-server and one outlet is connected to our webpage-server (it is named on the cable dmz).

Can you ping www.heise.de also?
Can you access the IP 193.99.144.85 via web browser?

If you cannot ping the name but can access the IP with the web browser, you have to set up the name resolution (DNS) at the TMG.

Are you able to access your own web server by IP or name?

0

AndHofOwnerAuthor Commented: 2012-04-07

I can either ping www.heise.de or access ip 193.99.144.85 via webbrowser. I can access our webserver by name (return local DMZ ip-no). I can ping DMZ ip-no for the web-server but I cannot ping the global web-server ip-no

0

AndHofOwnerAuthor Commented: 2012-04-07

What does it mean to setup DNS at the TMG? The NIC facing Cisco PIX does not have any DNS-server specified in the fully working old 2003-server.

Every server needs DNS to resolve internet names to IP addresses.
If you try to ping www.heise.de and the answer is "193.99.144.85 is not reachable", the name resolution works.
Also, "nslookup www.heise.de" should present this IP.
If you are not able to access the web page via IP (in this case the name resolution can't be the problem), which message do you receive?
Is the error message from the TMG?

I think the error is related to the ISA/TMG. I would suggest adding the matching topic.

0

AndHofOwnerAuthor Commented: 2012-04-07

If I run the old 2003-ISA-server, the connection to the internet is fast, but if I disconnect the LAN-NIC-cable the connection to the internet is not possible any longer even though the NIC facing Cisco is still connected, i.e. the connection to the internet is untouched. If I connect the cable to the LAN-NIC again, the connection to the internet is immediate. What does the internal LAN do in order to browse the internet?
If I run the TMG-server and try to connect to the internet, it fails as described before. If I run the diagnostic option on the failed web page, the result is: The DNS server isn't responding.
The TMG-server is a member of the LAN-domain. The DNS of the TMG-server

0

AndHofOwnerAuthor Commented: 2012-04-07

The 2003-ISA-server does not have any preferred DNS-servers and therefore I did not configure the NIC with any either. After googling on the DNS-subject I found a discussion about almost the same subject as my problem. The proposal was to enter 208.67.222.222 and 208.67.220.220 as preferred DNS-servers on the gateway. I did this on my NIC facing Cisco and immediately I could browse the internet from the 2008-TMG-server. However, now I have moved the problem to the LAN-computers. When I try to browse the internet from my LAN-computer I cannot do this, and after diagnostic search the answer becomes the same as before for the 2008-TMG-server: The DNS-server isn't responding.

You should have one (or two) internal DNS servers within the domain.
This server should be configured on the client computers.
This server should have an entry for the "DNS forwarder". This is the external DNS server (possibly 208.67.222.222).
Your internal DNS server has to reach the external DNS server.
Try from your local DNS server:
- nslookup
- server 208.67.222.222
- www.heise.de

This should work for the internal DNS if this server should resolve the names for the clients.

0

AndHofOwnerAuthor Commented: 2012-04-08

I discovered that the problem now is that I cannot ping the TMG-server from the LAN-computers. I suppose that is why the LAN-computers cannot reach the internet (the LAN-computers do not "see" the gateway). I have uninstalled and installed the TMG 3 times in order to be sure I have not missed anything. The second time I installed the program I started to make the configuration by using the TMG starting wizard, and before I imported the settings from the ISA-server. This turned out to be a mistake. When I tried to import the ISA-settings an error occurred saying something like "No CA certificate selected for https forward bridges". The importation must be done before you run the starting configuration wizard. So this I did the third time I installed the software. This makes me believe that the TMG-server is configured exactly as the ISA-server. I still have the suspicion that there is something in the LAN settings which makes the ISA-server work. I have not yet got an answer why the ISA server must be connected to the LAN in order to reach the Internet. As soon as I disconnect the LAN-cable, and just some seconds after, the internet is no longer reachable. I have looked into the DNS-server (active in the domain controller server (SBS 2003) in our LAN) but I cannot see any item with an external DNS which the ISA server uses for reaching the internet (as I said before, the NIC facing external does not have any Preferred DNS-servers configured).

Possibly the TMG (a good firewall) doesn't let you ping the device.
After trying to ping, look at the ARP cache.
If there is an entry with the MAC and IP address of your TMG, you are able to reach this device. Then the TMG just doesn't answer you.
But I'm not a TMG specialist.
If your DNS has no forwarder entries ... I think the DNS goes to the DNS root servers and searches for the name from there.
This also can work, but the DNS then has to access many different servers. At the TMG there should be a rule like this: "your DNS-Server to ANY service DNS"

Thank you for your proposals. I will not be in the office the next coming 1-2 weeks. I will continue the work when I'm back.

0

AndHofOwnerAuthor Commented: 2012-05-05

I'm back in the office and have almost forgotten this issue. However I think I see what is the problem but do not know how to resolve it. The old ISA server has 2 NICs. One called internal and one called external. The external is configured with a static ip-address 10.1.1.1, subnet 255.255.255.0 and a gateway 10.1.1.254. No preferred or alternate DNS server is specified. The internal NIC is connected to the LAN.
The NIC called external is connected to the Cisco Pix->Broadband modem->ISP and has a fix ip address 10.1.1.1, subnet mask 255.255.255.0 and a default gateway 10.1.1.254. No preferred or alternate DNS server is specified. However, under Advanced -> IP-settings there are more IP-addresses specified: 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4 and 10.1.1.5.

The new TMG server has also 2 NICs and I have configured the TCP/IP settings exactly the same.

Here follows some findings:
Old ISA server is connected to the LAN and the Cisco Pix
I reach internet immediately from ISA server and LAN clients. I can ping 10.1.1.1-10.1.1.5 from ISA server and LAN clients. I can ping the external gateway 10.1.1.254 from the ISA server and the LAN clients.

New TMG server is connected to the LAN and the Cisco Pix
I do not reach internet from the TMG server. However, if I specify the DNS servers given by the ISP as the preferred or alternate DNS servers in the external NIC I reach the internet. I can ping 10.1.1.1-10.1.1.5 from TMG server and LAN clients. I can ping the external gateway 10.1.1.254 from the TMG server but not from the LAN clients.

It seems to be the fact that I cannot ping 10.1.1.254 from the LAN clients which makes it impossible to reach internet from the LAN clients. What can be the problem? Why do I have to specify preferred or alternate DNS servers for the external NIC of the TMG server when I do not need it for the old ISA-server in order to reach internet from the server? Where is the gateway 10.1.1.254 located? In the Pix?

Look at the log on the ASA. There you should see why the LAN clients are unable to ping the PIX.

Possibly the ISA is the only device which is able to ping/access the PIX and internet.

The only possible connection over ISA is using NAT.
That means: the PIX sees every connection as sourced by the ISA.
The TMG can also use routing without NAT.
That means: (possibly) the PIX sees packets sourced by internal LAN clients.
This should be visible in the PIX logs.

If this is the problem, you have to configure NAT at the TMG or extend the range of allowed clients at the PIX.

0

AndHofOwnerAuthor Commented: 2012-05-08

It was a TMG issue. I had only allowed http and https traffic from internal to external and not the DNS request. When I changed to "This rule applies to All outbound traffic" instead of selected protocols HTTP and HTTPS, it works fine.

0
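The two checks used throughout this thread (reach a site by IP, then test DNS separately), as an added Python example that is not part of any post. The function names and verdict strings are assumptions; the addresses are the ones quoted in the thread. It separates "HTTP passes the gateway but DNS does not", which is what the rule above was causing, from a routing or NAT failure.

```python
import socket
import struct

def build_dns_query(name, txid=0x1234):
    """Minimal RFC 1035 A-record query: header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def dns_path_open(resolver, name, port=53, timeout=3.0):
    """True if any matching DNS response comes back from `resolver` over UDP."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (resolver, port))
            reply, _ = s.recvfrom(512)
        except OSError:  # timeout or ICMP unreachable: blocked or dropped
            return False
    # Accept only a reply with our transaction ID and the QR (response) bit set.
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def tcp_open(ip, port=80, timeout=3.0):
    """True if a TCP connection to ip:port completes (no name lookup involved)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

VERDICTS = {
    (True, True): "ok: web by IP and DNS both pass the gateway",
    (True, False): "dns-blocked: HTTP passes but DNS does not; check that the "
                   "outbound access rule includes DNS, not only HTTP/HTTPS",
    (False, True): "web-blocked: DNS passes but TCP/80 does not; check the web rule",
    (False, False): "no-path: nothing passes; check routing, NAT and the default gateway",
}

def diagnose(web_by_ip, dns_ok):
    """Map the two probe results to the layer that needs attention."""
    return VERDICTS[(bool(web_by_ip), bool(dns_ok))]

if __name__ == "__main__":
    # Addresses taken from the thread; run from a LAN client behind the gateway.
    web = tcp_open("193.99.144.85", 80)
    dns = dns_path_open("208.67.222.222", "www.heise.de")
    print(diagnose(web, dns))
```
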

AndHofOwnerAuthor Commented: 2012-05-13

I found the solution. What else could I say? However I gave myself the lowest grade for the correct answer.